It is often referred to as a packet filter as it examines each packet transferred in every network connection to, from, and within your computer. iptables replaced ipchains in the 2.4 kernel and added many new features including connection tracking (also known as stateful packet filtering).1
This means that the firewall is configured to "deny all connections" by default; the only way to establish a connection between two endpoints is to add an explicit rule that allows it. In iptables this is expressed by setting the default policy of the INPUT, OUTPUT and FORWARD chains to DROP (-P INPUT DROP, and so on), so that a packet matching no rule is discarded.
The term "INPUT" refers to the chain for packets addressed to this computer; "OUTPUT" is the chain for packets generated by this computer and leaving it. "FORWARD" holds packets that arrive from one computer but are destined for another, that is, cases where this computer is acting as a router between two other machines. The target "DROP" means that "the packet is not allowed through the firewall and the sender of the packet is not notified."2 The related target REJECT also refuses the packet, but sends an error (by default an ICMP port-unreachable message) back to the sender, so the sending program fails immediately instead of waiting for a timeout.
In our firewall rule set, as shown in section one, all incoming and outgoing packets are dropped unless a rule explicitly allows them. The rules also restrict traffic to a single network interface, eth0 (-o eth0 matches packets leaving through that interface), so anything sent through another interface is dropped as well. Note that each rule matches only the first packet of a connection (--state NEW); the replies are accepted by a separate connection-tracking rule for ESTABLISHED,RELATED packets, which must also be present in the rule set or no connection will ever complete. The rules are as follows:
# allow connections to my DNS servers
-A OUTPUT -d 184.108.40.206 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
# allow outgoing connections to web servers
-A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT
-A OUTPUT -m state --state NEW -p tcp --dport https -o eth0 -j ACCEPT
# allow outgoing mail connections to my ISP's SMTP and POP3 server only
-A OUTPUT -d 220.127.116.11 -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT
-A OUTPUT -d 18.104.22.168 -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT
As you can see, the rules above allow the system DNS access to one named server, access to web pages (http) and secure web pages (https) on any host, and mail to the ISP's SMTP and POP3 servers only; everything else leaving the machine is still dropped by the default policy. Note that the DNS rule only allows UDP: a resolver falls back to TCP on port 53 for responses that do not fit in a single UDP datagram, so a matching rule for tcp --dport 53 to the same server may be needed.
3. The machine runs ssh and telnet.
To allow the two services we add the following INPUT rules, using the same interface and target as the rules above (note -i rather than -o: the interface option for the INPUT chain is the one the packet arrived on):
# The machine runs SSH and TELNET
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 23 -j ACCEPT
Telnet carries passwords in cleartext, so if it must stay open it should at least be limited to a trusted source network with -s; SSH should be used instead wherever possible.
4. The apache user should not be allowed to surf the web.
A user cannot be restricted by matching IP addresses: the apache user runs on this host and sends packets from the same source address as every other user. Linux records which local user created each outgoing packet, and iptables exposes that through the owner match, which is only available in the OUTPUT chain (an INPUT rule makes no sense here, since a packet arriving from the network has no local owner). The following rules reject any new web connection that the apache user tries to open:
# Do not allow outgoing connections to web servers for the apache user
-A OUTPUT -m owner --uid-owner apache -m state --state NEW -p tcp --dport http -o eth0 -j REJECT
-A OUTPUT -m owner --uid-owner apache -m state --state NEW -p tcp --dport https -o eth0 -j REJECT
Because iptables stops at the first rule that matches, these two lines must come before the general rules that accept outgoing http and https for everyone; appended after them they would never be reached. REJECT rather than DROP is used so that the process run by the apache user gets an immediate "connection refused" error instead of hanging until a timeout.
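The fragments above (the outgoing rules of section one, the SSH/telnet rules of section 3 and the per-user restriction of section 4) only make sense together with the default-DROP policies, the loopback rules and the ESTABLISHED,RELATED rules they depend on. The script below is an added example, not the report's own script: it writes the complete rule set in iptables-restore format, in the order that first-match semantics requires, and includes a small check that the apache REJECT really precedes the general web ACCEPT. It assumes the interface is eth0, the web server runs as the Unix user "apache", and the server addresses are the ones listed in the report; nothing is applied to the running kernel, the output is meant to be reviewed and then loaded as root with iptables-restore.

```sh
#!/bin/sh
# Added example, not from the original report. Generates a full iptables-restore
# file for the policy described in sections 1, 3 and 4. Assumptions (not in the
# original): external interface eth0, web server user "apache", and the
# DNS/SMTP/POP3 addresses given in the report.

DNS_SERVER=184.108.40.206
SMTP_SERVER=220.127.116.11
POP3_SERVER=18.104.22.168
EXTIF=eth0

# Print the complete rule set. Order matters: iptables stops at the first
# matching rule, so the apache REJECT lines come before the web ACCEPT lines.
gen_rules() {
cat <<EOF
*filter
# deny everything by default; only the explicit rules below open traffic
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# loopback is needed by local services and the resolver
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# replies to connections opened by the NEW rules below (stateful filtering);
# without these every NEW-only rule would open a one-way connection
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 4. the apache user must not surf the web: the owner match exists only in
#    OUTPUT, and these REJECTs must precede the general web ACCEPTs
-A OUTPUT -m owner --uid-owner apache -m state --state NEW -p tcp --dport http -o $EXTIF -j REJECT
-A OUTPUT -m owner --uid-owner apache -m state --state NEW -p tcp --dport https -o $EXTIF -j REJECT

# 1. allow connections to my DNS server (UDP only, as in the report)
-A OUTPUT -d $DNS_SERVER -m state --state NEW -p udp --dport 53 -o $EXTIF -j ACCEPT
# allow outgoing connections to web servers
-A OUTPUT -m state --state NEW -p tcp --dport http -o $EXTIF -j ACCEPT
-A OUTPUT -m state --state NEW -p tcp --dport https -o $EXTIF -j ACCEPT
# allow outgoing mail connections to my ISP's SMTP and POP3 server only
-A OUTPUT -d $SMTP_SERVER -m state --state NEW -p tcp --dport smtp -o $EXTIF -j ACCEPT
-A OUTPUT -d $POP3_SERVER -m state --state NEW -p tcp --dport pop3 -o $EXTIF -j ACCEPT

# 3. the machine runs SSH and telnet (telnet is cleartext; keep only if required)
-A INPUT -i $EXTIF -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -i $EXTIF -m state --state NEW -p tcp --dport 23 -j ACCEPT
COMMIT
EOF
}

# Line number of the first generated rule matching a pattern (empty if none).
rule_line() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# First-match check: the apache http REJECT must precede the general http ACCEPT.
# Returns 0 (success) when the ordering is correct.
check_order() {
    reject=$(rule_line 'uid-owner apache -m state --state NEW -p tcp --dport http -o')
    accept=$(rule_line '-m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT')
    [ -n "$reject" ] && [ -n "$accept" ] && [ "$reject" -lt "$accept" ]
}

# Number of rules appended to a chain, e.g. `count_rules INPUT`.
count_rules() {
    gen_rules | grep -c -- "^-A $1 "
}

# Usage: generate the file, verify the ordering, then load it as root:
#   sh rules.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
if [ "${1:-}" = "--check" ]; then
    check_order && echo "ordering ok" || { echo "apache REJECT is after web ACCEPT" >&2; exit 1; }
else
    gen_rules
fi
```

Running the script with no arguments prints the restore file; `--check` exercises the ordering test. Loading it with iptables-restore replaces the filter table atomically, which is safer than issuing individual iptables commands that leave the host half-configured if one of them fails.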